I added option -k to search for keys in dictionaries. A usage example can be found in blog post “PDF Analysis: Back To Basics“.
Wednesday 28 December 2016
Wednesday 14 December 2016
It contains a cab file with 2 executables, which are executed after extraction (no surprise):
Monday 12 December 2016
Just a small change in this version: an indicator (O) for streams containing OLE 1.0 embedded data:
And plugin_http_heuristics also detects XOR-encoding starting with the second character of the key.
Friday 9 December 2016
This new version displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the pefile like resources.
Options -x, -a, -D and -S can be used to dump data (hex, ascii, binary and strings).
Sunday 27 November 2016
This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.
Tuesday 22 November 2016
When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the ciphertext, but later I wrote a small Python tool to help me.
The simple ciphers supported by this tool are XOR, ROT, Vigenère and subtract (I added that last one because it was used in a maldoc). You can use the man page (option -m) to learn more.
Monday 21 November 2016
This new version supports different encodings besides base64 (but the name remains base64dump).
The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).
The shellcode, escaped with %u, can be extracted with base64dump:
There’s also a new option to do a string dump: -S
And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.
Sunday 20 November 2016
A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.
Saturday 19 November 2016
A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.
Friday 18 November 2016
shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:
Option –suffix allows you to instruct the program to add a suffix to the VBA function names.